diff options
author | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
commit | dc05a564ab1b3a1957927da50912964b61f7da69 (patch) | |
tree | 489905675f9954e5bf160a2eff6ea6ce93472d61 /net/ipv4 | |
parent | be39ee11cd1f67b51ac8e71d177a981eb34f2ab2 (diff) | |
parent | e2fe35c17fed62d4ab5038fa9bc489e967ff8416 (diff) |
Merge branch 'master' of git://dev.medozas.de/linux
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 44 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 48 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 12 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_rule.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 8 |
9 files changed, 88 insertions, 56 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 7505dff4ffdf..7bc11ffbb845 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) | 8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/kernel.h> | 12 | #include <linux/kernel.h> |
13 | #include <linux/skbuff.h> | 13 | #include <linux/skbuff.h> |
14 | #include <linux/netdevice.h> | 14 | #include <linux/netdevice.h> |
@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
341 | } | 341 | } |
342 | 342 | ||
343 | /* All zeroes == unconditional rule. */ | 343 | /* All zeroes == unconditional rule. */ |
344 | static inline int unconditional(const struct arpt_arp *arp) | 344 | static inline bool unconditional(const struct arpt_arp *arp) |
345 | { | 345 | { |
346 | unsigned int i; | 346 | static const struct arpt_arp uncond; |
347 | 347 | ||
348 | for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++) | 348 | return memcmp(arp, &uncond, sizeof(uncond)) == 0; |
349 | if (((__u32 *)arp)[i]) | ||
350 | return 0; | ||
351 | |||
352 | return 1; | ||
353 | } | 349 | } |
354 | 350 | ||
355 | /* Figures out from what hook each rule can be called: returns 0 if | 351 | /* Figures out from what hook each rule can be called: returns 0 if |
@@ -537,12 +533,28 @@ out: | |||
537 | return ret; | 533 | return ret; |
538 | } | 534 | } |
539 | 535 | ||
536 | static bool check_underflow(struct arpt_entry *e) | ||
537 | { | ||
538 | const struct arpt_entry_target *t; | ||
539 | unsigned int verdict; | ||
540 | |||
541 | if (!unconditional(&e->arp)) | ||
542 | return false; | ||
543 | t = arpt_get_target(e); | ||
544 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
545 | return false; | ||
546 | verdict = ((struct arpt_standard_target *)t)->verdict; | ||
547 | verdict = -verdict - 1; | ||
548 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
549 | } | ||
550 | |||
540 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 551 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
541 | struct xt_table_info *newinfo, | 552 | struct xt_table_info *newinfo, |
542 | unsigned char *base, | 553 | unsigned char *base, |
543 | unsigned char *limit, | 554 | unsigned char *limit, |
544 | const unsigned int *hook_entries, | 555 | const unsigned int *hook_entries, |
545 | const unsigned int *underflows, | 556 | const unsigned int *underflows, |
557 | unsigned int valid_hooks, | ||
546 | unsigned int *i) | 558 | unsigned int *i) |
547 | { | 559 | { |
548 | unsigned int h; | 560 | unsigned int h; |
@@ -562,15 +574,21 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
562 | 574 | ||
563 | /* Check hooks & underflows */ | 575 | /* Check hooks & underflows */ |
564 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { | 576 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { |
577 | if (!(valid_hooks & (1 << h))) | ||
578 | continue; | ||
565 | if ((unsigned char *)e - base == hook_entries[h]) | 579 | if ((unsigned char *)e - base == hook_entries[h]) |
566 | newinfo->hook_entry[h] = hook_entries[h]; | 580 | newinfo->hook_entry[h] = hook_entries[h]; |
567 | if ((unsigned char *)e - base == underflows[h]) | 581 | if ((unsigned char *)e - base == underflows[h]) { |
582 | if (!check_underflow(e)) { | ||
583 | pr_err("Underflows must be unconditional and " | ||
584 | "use the STANDARD target with " | ||
585 | "ACCEPT/DROP\n"); | ||
586 | return -EINVAL; | ||
587 | } | ||
568 | newinfo->underflow[h] = underflows[h]; | 588 | newinfo->underflow[h] = underflows[h]; |
589 | } | ||
569 | } | 590 | } |
570 | 591 | ||
571 | /* FIXME: underflows must be unconditional, standard verdicts | ||
572 | < 0 (not ARPT_RETURN). --RR */ | ||
573 | |||
574 | /* Clear counters and comefrom */ | 592 | /* Clear counters and comefrom */ |
575 | e->counters = ((struct xt_counters) { 0, 0 }); | 593 | e->counters = ((struct xt_counters) { 0, 0 }); |
576 | e->comefrom = 0; | 594 | e->comefrom = 0; |
@@ -630,7 +648,7 @@ static int translate_table(const char *name, | |||
630 | newinfo, | 648 | newinfo, |
631 | entry0, | 649 | entry0, |
632 | entry0 + size, | 650 | entry0 + size, |
633 | hook_entries, underflows, &i); | 651 | hook_entries, underflows, valid_hooks, &i); |
634 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 652 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
635 | if (ret != 0) | 653 | if (ret != 0) |
636 | return ret; | 654 | return ret; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index fdefae6b5dfc..0b43fd7ca04a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -8,6 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
11 | #include <linux/cache.h> | 12 | #include <linux/cache.h> |
12 | #include <linux/capability.h> | 13 | #include <linux/capability.h> |
13 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
@@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset) | |||
190 | 191 | ||
191 | /* All zeroes == unconditional rule. */ | 192 | /* All zeroes == unconditional rule. */ |
192 | /* Mildly perf critical (only if packet tracing is on) */ | 193 | /* Mildly perf critical (only if packet tracing is on) */ |
193 | static inline int | 194 | static inline bool unconditional(const struct ipt_ip *ip) |
194 | unconditional(const struct ipt_ip *ip) | ||
195 | { | 195 | { |
196 | unsigned int i; | 196 | static const struct ipt_ip uncond; |
197 | |||
198 | for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++) | ||
199 | if (((__u32 *)ip)[i]) | ||
200 | return 0; | ||
201 | 197 | ||
202 | return 1; | 198 | return memcmp(ip, &uncond, sizeof(uncond)) == 0; |
203 | #undef FWINV | 199 | #undef FWINV |
204 | } | 200 | } |
205 | 201 | ||
@@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb, | |||
315 | 311 | ||
316 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 312 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
317 | const struct iphdr *ip; | 313 | const struct iphdr *ip; |
318 | u_int16_t datalen; | ||
319 | bool hotdrop = false; | 314 | bool hotdrop = false; |
320 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 315 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
321 | unsigned int verdict = NF_DROP; | 316 | unsigned int verdict = NF_DROP; |
@@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb, | |||
328 | 323 | ||
329 | /* Initialization */ | 324 | /* Initialization */ |
330 | ip = ip_hdr(skb); | 325 | ip = ip_hdr(skb); |
331 | datalen = skb->len - ip->ihl * 4; | ||
332 | indev = in ? in->name : nulldevname; | 326 | indev = in ? in->name : nulldevname; |
333 | outdev = out ? out->name : nulldevname; | 327 | outdev = out ? out->name : nulldevname; |
334 | /* We handle fragments by dealing with the first fragment as | 328 | /* We handle fragments by dealing with the first fragment as |
@@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb, | |||
427 | #endif | 421 | #endif |
428 | /* Target might have changed stuff. */ | 422 | /* Target might have changed stuff. */ |
429 | ip = ip_hdr(skb); | 423 | ip = ip_hdr(skb); |
430 | datalen = skb->len - ip->ihl * 4; | ||
431 | |||
432 | if (verdict == IPT_CONTINUE) | 424 | if (verdict == IPT_CONTINUE) |
433 | e = ipt_next_entry(e); | 425 | e = ipt_next_entry(e); |
434 | else | 426 | else |
@@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
716 | return ret; | 708 | return ret; |
717 | } | 709 | } |
718 | 710 | ||
711 | static bool check_underflow(struct ipt_entry *e) | ||
712 | { | ||
713 | const struct ipt_entry_target *t; | ||
714 | unsigned int verdict; | ||
715 | |||
716 | if (!unconditional(&e->ip)) | ||
717 | return false; | ||
718 | t = ipt_get_target(e); | ||
719 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
720 | return false; | ||
721 | verdict = ((struct ipt_standard_target *)t)->verdict; | ||
722 | verdict = -verdict - 1; | ||
723 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
724 | } | ||
725 | |||
719 | static int | 726 | static int |
720 | check_entry_size_and_hooks(struct ipt_entry *e, | 727 | check_entry_size_and_hooks(struct ipt_entry *e, |
721 | struct xt_table_info *newinfo, | 728 | struct xt_table_info *newinfo, |
@@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
723 | unsigned char *limit, | 730 | unsigned char *limit, |
724 | const unsigned int *hook_entries, | 731 | const unsigned int *hook_entries, |
725 | const unsigned int *underflows, | 732 | const unsigned int *underflows, |
733 | unsigned int valid_hooks, | ||
726 | unsigned int *i) | 734 | unsigned int *i) |
727 | { | 735 | { |
728 | unsigned int h; | 736 | unsigned int h; |
@@ -742,15 +750,21 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
742 | 750 | ||
743 | /* Check hooks & underflows */ | 751 | /* Check hooks & underflows */ |
744 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 752 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
753 | if (!(valid_hooks & (1 << h))) | ||
754 | continue; | ||
745 | if ((unsigned char *)e - base == hook_entries[h]) | 755 | if ((unsigned char *)e - base == hook_entries[h]) |
746 | newinfo->hook_entry[h] = hook_entries[h]; | 756 | newinfo->hook_entry[h] = hook_entries[h]; |
747 | if ((unsigned char *)e - base == underflows[h]) | 757 | if ((unsigned char *)e - base == underflows[h]) { |
758 | if (!check_underflow(e)) { | ||
759 | pr_err("Underflows must be unconditional and " | ||
760 | "use the STANDARD target with " | ||
761 | "ACCEPT/DROP\n"); | ||
762 | return -EINVAL; | ||
763 | } | ||
748 | newinfo->underflow[h] = underflows[h]; | 764 | newinfo->underflow[h] = underflows[h]; |
765 | } | ||
749 | } | 766 | } |
750 | 767 | ||
751 | /* FIXME: underflows must be unconditional, standard verdicts | ||
752 | < 0 (not IPT_RETURN). --RR */ | ||
753 | |||
754 | /* Clear counters and comefrom */ | 768 | /* Clear counters and comefrom */ |
755 | e->counters = ((struct xt_counters) { 0, 0 }); | 769 | e->counters = ((struct xt_counters) { 0, 0 }); |
756 | e->comefrom = 0; | 770 | e->comefrom = 0; |
@@ -813,7 +827,7 @@ translate_table(const char *name, | |||
813 | newinfo, | 827 | newinfo, |
814 | entry0, | 828 | entry0, |
815 | entry0 + size, | 829 | entry0 + size, |
816 | hook_entries, underflows, &i); | 830 | hook_entries, underflows, valid_hooks, &i); |
817 | if (ret != 0) | 831 | if (ret != 0) |
818 | return ret; | 832 | return ret; |
819 | 833 | ||
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index c30a969724f8..97dbd94a8e37 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
@@ -57,7 +57,7 @@ static struct xt_table packet_filter = { | |||
57 | .name = "filter", | 57 | .name = "filter", |
58 | .valid_hooks = FILTER_VALID_HOOKS, | 58 | .valid_hooks = FILTER_VALID_HOOKS, |
59 | .me = THIS_MODULE, | 59 | .me = THIS_MODULE, |
60 | .af = AF_INET, | 60 | .af = NFPROTO_IPV4, |
61 | }; | 61 | }; |
62 | 62 | ||
63 | /* The work comes in here from netfilter.c. */ | 63 | /* The work comes in here from netfilter.c. */ |
@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
102 | { | 102 | { |
103 | .hook = ipt_local_in_hook, | 103 | .hook = ipt_local_in_hook, |
104 | .owner = THIS_MODULE, | 104 | .owner = THIS_MODULE, |
105 | .pf = PF_INET, | 105 | .pf = NFPROTO_IPV4, |
106 | .hooknum = NF_INET_LOCAL_IN, | 106 | .hooknum = NF_INET_LOCAL_IN, |
107 | .priority = NF_IP_PRI_FILTER, | 107 | .priority = NF_IP_PRI_FILTER, |
108 | }, | 108 | }, |
109 | { | 109 | { |
110 | .hook = ipt_hook, | 110 | .hook = ipt_hook, |
111 | .owner = THIS_MODULE, | 111 | .owner = THIS_MODULE, |
112 | .pf = PF_INET, | 112 | .pf = NFPROTO_IPV4, |
113 | .hooknum = NF_INET_FORWARD, | 113 | .hooknum = NF_INET_FORWARD, |
114 | .priority = NF_IP_PRI_FILTER, | 114 | .priority = NF_IP_PRI_FILTER, |
115 | }, | 115 | }, |
116 | { | 116 | { |
117 | .hook = ipt_local_out_hook, | 117 | .hook = ipt_local_out_hook, |
118 | .owner = THIS_MODULE, | 118 | .owner = THIS_MODULE, |
119 | .pf = PF_INET, | 119 | .pf = NFPROTO_IPV4, |
120 | .hooknum = NF_INET_LOCAL_OUT, | 120 | .hooknum = NF_INET_LOCAL_OUT, |
121 | .priority = NF_IP_PRI_FILTER, | 121 | .priority = NF_IP_PRI_FILTER, |
122 | }, | 122 | }, |
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 4087614d9519..28647f10aa7e 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
@@ -68,7 +68,7 @@ static struct xt_table packet_mangler = { | |||
68 | .name = "mangle", | 68 | .name = "mangle", |
69 | .valid_hooks = MANGLE_VALID_HOOKS, | 69 | .valid_hooks = MANGLE_VALID_HOOKS, |
70 | .me = THIS_MODULE, | 70 | .me = THIS_MODULE, |
71 | .af = AF_INET, | 71 | .af = NFPROTO_IPV4, |
72 | }; | 72 | }; |
73 | 73 | ||
74 | /* The work comes in here from netfilter.c. */ | 74 | /* The work comes in here from netfilter.c. */ |
@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
162 | { | 162 | { |
163 | .hook = ipt_pre_routing_hook, | 163 | .hook = ipt_pre_routing_hook, |
164 | .owner = THIS_MODULE, | 164 | .owner = THIS_MODULE, |
165 | .pf = PF_INET, | 165 | .pf = NFPROTO_IPV4, |
166 | .hooknum = NF_INET_PRE_ROUTING, | 166 | .hooknum = NF_INET_PRE_ROUTING, |
167 | .priority = NF_IP_PRI_MANGLE, | 167 | .priority = NF_IP_PRI_MANGLE, |
168 | }, | 168 | }, |
169 | { | 169 | { |
170 | .hook = ipt_local_in_hook, | 170 | .hook = ipt_local_in_hook, |
171 | .owner = THIS_MODULE, | 171 | .owner = THIS_MODULE, |
172 | .pf = PF_INET, | 172 | .pf = NFPROTO_IPV4, |
173 | .hooknum = NF_INET_LOCAL_IN, | 173 | .hooknum = NF_INET_LOCAL_IN, |
174 | .priority = NF_IP_PRI_MANGLE, | 174 | .priority = NF_IP_PRI_MANGLE, |
175 | }, | 175 | }, |
176 | { | 176 | { |
177 | .hook = ipt_forward_hook, | 177 | .hook = ipt_forward_hook, |
178 | .owner = THIS_MODULE, | 178 | .owner = THIS_MODULE, |
179 | .pf = PF_INET, | 179 | .pf = NFPROTO_IPV4, |
180 | .hooknum = NF_INET_FORWARD, | 180 | .hooknum = NF_INET_FORWARD, |
181 | .priority = NF_IP_PRI_MANGLE, | 181 | .priority = NF_IP_PRI_MANGLE, |
182 | }, | 182 | }, |
183 | { | 183 | { |
184 | .hook = ipt_local_hook, | 184 | .hook = ipt_local_hook, |
185 | .owner = THIS_MODULE, | 185 | .owner = THIS_MODULE, |
186 | .pf = PF_INET, | 186 | .pf = NFPROTO_IPV4, |
187 | .hooknum = NF_INET_LOCAL_OUT, | 187 | .hooknum = NF_INET_LOCAL_OUT, |
188 | .priority = NF_IP_PRI_MANGLE, | 188 | .priority = NF_IP_PRI_MANGLE, |
189 | }, | 189 | }, |
190 | { | 190 | { |
191 | .hook = ipt_post_routing_hook, | 191 | .hook = ipt_post_routing_hook, |
192 | .owner = THIS_MODULE, | 192 | .owner = THIS_MODULE, |
193 | .pf = PF_INET, | 193 | .pf = NFPROTO_IPV4, |
194 | .hooknum = NF_INET_POST_ROUTING, | 194 | .hooknum = NF_INET_POST_ROUTING, |
195 | .priority = NF_IP_PRI_MANGLE, | 195 | .priority = NF_IP_PRI_MANGLE, |
196 | }, | 196 | }, |
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index e5356da1fb54..494784c999eb 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
@@ -40,7 +40,7 @@ static struct xt_table packet_raw = { | |||
40 | .name = "raw", | 40 | .name = "raw", |
41 | .valid_hooks = RAW_VALID_HOOKS, | 41 | .valid_hooks = RAW_VALID_HOOKS, |
42 | .me = THIS_MODULE, | 42 | .me = THIS_MODULE, |
43 | .af = AF_INET, | 43 | .af = NFPROTO_IPV4, |
44 | }; | 44 | }; |
45 | 45 | ||
46 | /* The work comes in here from netfilter.c. */ | 46 | /* The work comes in here from netfilter.c. */ |
@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook, | |||
74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
75 | { | 75 | { |
76 | .hook = ipt_hook, | 76 | .hook = ipt_hook, |
77 | .pf = PF_INET, | 77 | .pf = NFPROTO_IPV4, |
78 | .hooknum = NF_INET_PRE_ROUTING, | 78 | .hooknum = NF_INET_PRE_ROUTING, |
79 | .priority = NF_IP_PRI_RAW, | 79 | .priority = NF_IP_PRI_RAW, |
80 | .owner = THIS_MODULE, | 80 | .owner = THIS_MODULE, |
81 | }, | 81 | }, |
82 | { | 82 | { |
83 | .hook = ipt_local_hook, | 83 | .hook = ipt_local_hook, |
84 | .pf = PF_INET, | 84 | .pf = NFPROTO_IPV4, |
85 | .hooknum = NF_INET_LOCAL_OUT, | 85 | .hooknum = NF_INET_LOCAL_OUT, |
86 | .priority = NF_IP_PRI_RAW, | 86 | .priority = NF_IP_PRI_RAW, |
87 | .owner = THIS_MODULE, | 87 | .owner = THIS_MODULE, |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 29ab630f240a..8804e1a0f915 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
@@ -61,7 +61,7 @@ static struct xt_table security_table = { | |||
61 | .name = "security", | 61 | .name = "security", |
62 | .valid_hooks = SECURITY_VALID_HOOKS, | 62 | .valid_hooks = SECURITY_VALID_HOOKS, |
63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
64 | .af = AF_INET, | 64 | .af = NFPROTO_IPV4, |
65 | }; | 65 | }; |
66 | 66 | ||
67 | static unsigned int | 67 | static unsigned int |
@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
105 | { | 105 | { |
106 | .hook = ipt_local_in_hook, | 106 | .hook = ipt_local_in_hook, |
107 | .owner = THIS_MODULE, | 107 | .owner = THIS_MODULE, |
108 | .pf = PF_INET, | 108 | .pf = NFPROTO_IPV4, |
109 | .hooknum = NF_INET_LOCAL_IN, | 109 | .hooknum = NF_INET_LOCAL_IN, |
110 | .priority = NF_IP_PRI_SECURITY, | 110 | .priority = NF_IP_PRI_SECURITY, |
111 | }, | 111 | }, |
112 | { | 112 | { |
113 | .hook = ipt_forward_hook, | 113 | .hook = ipt_forward_hook, |
114 | .owner = THIS_MODULE, | 114 | .owner = THIS_MODULE, |
115 | .pf = PF_INET, | 115 | .pf = NFPROTO_IPV4, |
116 | .hooknum = NF_INET_FORWARD, | 116 | .hooknum = NF_INET_FORWARD, |
117 | .priority = NF_IP_PRI_SECURITY, | 117 | .priority = NF_IP_PRI_SECURITY, |
118 | }, | 118 | }, |
119 | { | 119 | { |
120 | .hook = ipt_local_out_hook, | 120 | .hook = ipt_local_out_hook, |
121 | .owner = THIS_MODULE, | 121 | .owner = THIS_MODULE, |
122 | .pf = PF_INET, | 122 | .pf = NFPROTO_IPV4, |
123 | .hooknum = NF_INET_LOCAL_OUT, | 123 | .hooknum = NF_INET_LOCAL_OUT, |
124 | .priority = NF_IP_PRI_SECURITY, | 124 | .priority = NF_IP_PRI_SECURITY, |
125 | }, | 125 | }, |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 05a9bc8df536..9ac2fdc36ecc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = { | |||
158 | { | 158 | { |
159 | .hook = ipv4_conntrack_in, | 159 | .hook = ipv4_conntrack_in, |
160 | .owner = THIS_MODULE, | 160 | .owner = THIS_MODULE, |
161 | .pf = PF_INET, | 161 | .pf = NFPROTO_IPV4, |
162 | .hooknum = NF_INET_PRE_ROUTING, | 162 | .hooknum = NF_INET_PRE_ROUTING, |
163 | .priority = NF_IP_PRI_CONNTRACK, | 163 | .priority = NF_IP_PRI_CONNTRACK, |
164 | }, | 164 | }, |
165 | { | 165 | { |
166 | .hook = ipv4_conntrack_local, | 166 | .hook = ipv4_conntrack_local, |
167 | .owner = THIS_MODULE, | 167 | .owner = THIS_MODULE, |
168 | .pf = PF_INET, | 168 | .pf = NFPROTO_IPV4, |
169 | .hooknum = NF_INET_LOCAL_OUT, | 169 | .hooknum = NF_INET_LOCAL_OUT, |
170 | .priority = NF_IP_PRI_CONNTRACK, | 170 | .priority = NF_IP_PRI_CONNTRACK, |
171 | }, | 171 | }, |
172 | { | 172 | { |
173 | .hook = ipv4_confirm, | 173 | .hook = ipv4_confirm, |
174 | .owner = THIS_MODULE, | 174 | .owner = THIS_MODULE, |
175 | .pf = PF_INET, | 175 | .pf = NFPROTO_IPV4, |
176 | .hooknum = NF_INET_POST_ROUTING, | 176 | .hooknum = NF_INET_POST_ROUTING, |
177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
178 | }, | 178 | }, |
179 | { | 179 | { |
180 | .hook = ipv4_confirm, | 180 | .hook = ipv4_confirm, |
181 | .owner = THIS_MODULE, | 181 | .owner = THIS_MODULE, |
182 | .pf = PF_INET, | 182 | .pf = NFPROTO_IPV4, |
183 | .hooknum = NF_INET_LOCAL_IN, | 183 | .hooknum = NF_INET_LOCAL_IN, |
184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
185 | }, | 185 | }, |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 6348a793936e..6448a9b7d6f0 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -62,7 +62,7 @@ static struct xt_table nat_table = { | |||
62 | .name = "nat", | 62 | .name = "nat", |
63 | .valid_hooks = NAT_VALID_HOOKS, | 63 | .valid_hooks = NAT_VALID_HOOKS, |
64 | .me = THIS_MODULE, | 64 | .me = THIS_MODULE, |
65 | .af = AF_INET, | 65 | .af = NFPROTO_IPV4, |
66 | }; | 66 | }; |
67 | 67 | ||
68 | /* Source NAT */ | 68 | /* Source NAT */ |
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 5567bd0d0750..5f41d017ddd8 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
251 | { | 251 | { |
252 | .hook = nf_nat_in, | 252 | .hook = nf_nat_in, |
253 | .owner = THIS_MODULE, | 253 | .owner = THIS_MODULE, |
254 | .pf = PF_INET, | 254 | .pf = NFPROTO_IPV4, |
255 | .hooknum = NF_INET_PRE_ROUTING, | 255 | .hooknum = NF_INET_PRE_ROUTING, |
256 | .priority = NF_IP_PRI_NAT_DST, | 256 | .priority = NF_IP_PRI_NAT_DST, |
257 | }, | 257 | }, |
@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
259 | { | 259 | { |
260 | .hook = nf_nat_out, | 260 | .hook = nf_nat_out, |
261 | .owner = THIS_MODULE, | 261 | .owner = THIS_MODULE, |
262 | .pf = PF_INET, | 262 | .pf = NFPROTO_IPV4, |
263 | .hooknum = NF_INET_POST_ROUTING, | 263 | .hooknum = NF_INET_POST_ROUTING, |
264 | .priority = NF_IP_PRI_NAT_SRC, | 264 | .priority = NF_IP_PRI_NAT_SRC, |
265 | }, | 265 | }, |
@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
267 | { | 267 | { |
268 | .hook = nf_nat_local_fn, | 268 | .hook = nf_nat_local_fn, |
269 | .owner = THIS_MODULE, | 269 | .owner = THIS_MODULE, |
270 | .pf = PF_INET, | 270 | .pf = NFPROTO_IPV4, |
271 | .hooknum = NF_INET_LOCAL_OUT, | 271 | .hooknum = NF_INET_LOCAL_OUT, |
272 | .priority = NF_IP_PRI_NAT_DST, | 272 | .priority = NF_IP_PRI_NAT_DST, |
273 | }, | 273 | }, |
@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
275 | { | 275 | { |
276 | .hook = nf_nat_fn, | 276 | .hook = nf_nat_fn, |
277 | .owner = THIS_MODULE, | 277 | .owner = THIS_MODULE, |
278 | .pf = PF_INET, | 278 | .pf = NFPROTO_IPV4, |
279 | .hooknum = NF_INET_LOCAL_IN, | 279 | .hooknum = NF_INET_LOCAL_IN, |
280 | .priority = NF_IP_PRI_NAT_SRC, | 280 | .priority = NF_IP_PRI_NAT_SRC, |
281 | }, | 281 | }, |